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(57) For use with a network having server sites ca- 
pable of being browsed by users based on identifier* 
received into the server sites and personal to the users. 
a.i«.i.=.:ivd p.u*y systems torproviotno suusmuie for- 
tifiers to the. serygr sites that allow thejiaaia tpJamwap 
the se"«" anonvrnoH**" via thej>^«csysjejn. A 
central proxy system includes computer-executable 
routines that process site-specific substitute identifiers 
constructed from data specific to the users, that trans- 
mits the substitute identifiers to the server sites, that re- 



transmits browsina commands received from the users 
to the server sites, and that removes portions of the 
browsing commands that would identrfy the users to the 
server sites. The foregoing functionality is performed 
consistently by the central proxy system during subse- 
quent visits to a given server site as the same site spe- 
cific substitute identifiers are reused. Consistent use of 
the site specific substitute identifiers enables^* «ejver 
site to recooDizaajeturninq user and. onssibiy, provide 
personalized service. 
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Description 

TECHNICAL FIELO OF THE INVENTION 

The present invention is directed, in general, to net- 
v^fwtand. more spec.lically, to a system and method 
,na« allows a user 10 bmwse oe rtrm ali M d server re- 
sources on a networ* anonvmnusly. 



BACKGROUND OF THE INVENTION 

The Internet is a well-known collection ol networks 
(a a public and private data communication and multi- 
media networks) that work together (cooperate) using 
common protocols to form a world wide network ol net- 

worKs 

in recent years, the availability ot more efficient, re- 
liable and cost-effective computers and networkwg 
tools have allowed many companies and individuals 
(collectively, •users') to become involved in an ever 
qrowina electronic msrkemlaee. The immeasurable 
L.ns in technology expenenced by the computer indus- 
try overall have allowed these users to rely on commer- 
cially available computers, such as personal computers 
("PCS") to meet their information processing and com- 
munication needs. Tothatend. PC manulacturera equip 
most PCS with an interface that may be used tor com- 
munication over networks, such as the Internet. 

The Internet continues to increase its position as an 
integral place for businesses that offers information and 
services to potential customers. Popular examples of 
such businesseV'are news providers (e.g.. www.cnn. 
com (the Cable News Network), www.nytimes.com (the 
New York Times), www.wsj.com (the Wall Street Jour- 
nal). www.ft.com (Financial Times Magazine), www. 
businessweek.com (Business Week Magazine)); car 
manufacturers (e.g.. www.ford.com/us (the Ford Motor 
Company), www.gm.com (the General Motor Compa- 
ny) www.toyota.com (the Toyota Motor Company)): 
book stores (e.g.. www.amazw.finm (Amazon.com 
books))- software provide.. !**. www.microeort.ccm 
(the Microsoft software company)) and many more. 

Most often, such a business sets up a home page 
on the World Wide Web (a "web-site.' me World wide 
Web is a logical overlay of the Internet). The web-site 
constitute* an electronealV-addressable location mat 
may be usee) for promoting, advertising and conducting 
business. Potential electronic customers use web- 
browsers (e.g.. NETSCAPE NAVIGATOR*. M.CRO- 
SOFT EXPLORER*, etc. ) to access me information of- 
fered on those web-sites. 

An increasing number of web sites offer personal- 
ized services that may include "personalized web pag- 
es* customized t a user's interests, with hyper-links (a 
reference or link from some p int in one hypertext doc- 
ument to some point in another document or an ther 
place in the same document -- otten displayed m some 
distinguishing way (e.g.. m a different color, lont or 



style)) and displayed messages tailored according to 
m.us^spre.erences.Suchpreferencescanbeascer- 

Led by having a user establish an account w.m that 

web-site This allow -*<• » store .mc^.^n 

s about me user's orevious.yt.ua. «..«■«• °y ,ra "'" a 'V* 
hyperWne user -o.Wwed.or through explicit oiaioos 
with me user. For example, the Wall Street Journal p,o- 
v—. - >..~nalized journal* to each user, where me 
sequence and selection of sections is customized. In or- 
•o der to open an account, the user typically has to com- 
plete a form electronically, providing a user name, a 
eis7w5rd.'iH electronic-mail ('email') ««*».»». j>«-. 

.atter is often used by the web-site to send back 
information not provided on the website itself to me us- 

'* 9r Given the inherent lack of privacy of electronic com- 
munication over the Internet generally, and. pa*eularry, 
the World Wide Web. it has long been lelt that a system 
that could ensure private electronic communication 
20 would be highly advantageous. As an example of the 
problem, consider the plight of a customer that would 
like to browse the World Wide Web in a "nvate 
(anonymous) manner, visaing sit- that provide pen- 
alized service. The customer wou« »u oaiaoiisn 
is counis on web-sites without revealing his true identity, 
and without reusing the same user names, passwords. . 
for murine sites. Cuetomers should refrain from reusing 
S. sine user names and passwords at multiple sites 
toavoida security breach at one site toalfect other sites; 
30 additionally, refraining from using such user names and 
passwords limits the ability of multiple sites Iromcollud- 
ing io combine customer information and build doss.ers 
on particular customers. 

Typically, the customer visits many of these web- 
as sites, and inventing and remembering new user names 
and passwords lor each web-site becomes tedious. 
Moreover, many of these web-sites require the custom- 
er to delude his e-mail address with his user name and 
password -- by providing his e-mail address, th cus- 
40 tomer reveals his identity. 

in addition, mere are commercial products available 
that allow web-sites to track their clients and visrtors. 
Such tracking can be made even when no volun tary ^ in- 
formation is provided by me user and «^™>*™« 
45 out Examples ot such systems are 

w^hTavailab.e .torn OPENMARKET. INC and 
•SiteTrack.' which is available from GROUP CORTEX, 
whose advertisement reads as follows: 

•Identify who is visiting your site. Record me actual 
so number o. people mat visit. Find which jHta .My 

and trace the* complete path. Learn wh.ch site users 
came from and which site they depart to... 
These products are made possible because th hyper- 
text transport pr toco. ('HTTP-protocol'). on which me 
55 world Wide Web is largely based, allows specif c .ntof- 
mation to (low back Irom the user to the webj.it This 
Z include .or example, me user's e-ma address, he 
test web-site he came from, and informal about the 
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usefs software and host-computer. Other pertinent «»« r 
mformaticn may be sent by the web-site to I fce user 
browser using what are commonly referred to as cook- 
.esVpieces ol information that web-siles may store at 
the usef s browser). On subsequent visas to the web- 
site, the user's browser sends back information to the 
web-site without the user's Knowledge. 

From the foregoing, it is apparent that what is need- 
ed in the art is a scheme that provides anonymous per- 
sonalized web browsing that satisfies two seemingly 
conflicting objectives, namely, providing user privacy 
and user identification. 

SUMMARY OF THE INVENTION 

To address the above-discussed deficiencies of the 
orior art. the present invention introduces a proxy sys- 
tem that performs two basic functions: (1) automatic 
substitution of uaer-specifc identifiers such that ae-vsr 
sites (ag., web sites, junction points, intelligent portal 
devices, routers, network servers, etc.) within a network 
are prevented from determining the true identity of the 
user browsing (accessing, locating, retrieving, reading 
contacting, etc.) the sites; and (2) automatic stripping of 
any other information associated with browsing com- 
mands that would allow the server sites to determine the 
true identity of the user browsing the-aerver sites. An 
important aspect of the present invention is that the fore- 
gong functions are performed consistently by the proxy 
system during subsequent visits to the sewer site (the 
same substitute identifiers are used on repeat visits to 
the server site: the server site also cannot distnguish 
between information suppHed by the user and the proxy 
system, thus the proxy system is transparent to theserv- 
er site) The present invention therefore not only intro- 
duces anonymous browsing, but also personalization 
based upon the consistent use of substitute identifiers. 

It should be noted that the term true.* as used here- 
in means accurate, actual, authentic, at least partially 
correct; genuine, real or the like, the term 'or,- as used 
herein, is inclusive, meaning and/dc and the phrase 'as- 
sociated with* and derivative* thereof, as used herein, 
may mean to include within, interconnect with, contain, 
be contained within, connect to or with, couple to or with, 
be communicable with, juxtapoee. cooperate with, inter- 
leave, be a property of. be bound to or with, have, have 
a property of. at the like. 

As is described in greater detail hereinbelow. the 
principles of the present invention address the conflict, 
ing objectives of user privacy and user identification de- 
scribed hereinabove by providing a proxy system, a pe- 
ripheral proxy system, and a method of providing sub- 
stitute identifi rs t a server sit that allow users t 
browse the same an nymously via the proxy system. 

In one embodiment, the pr sent invention provides, 
for use with a network having server sites capable of 
being browsed by users based on identifieis received 
into the server sites and personal to the users, a central 



proxy system lor providing substitute dentifiers to the 
server sites that allow the users to browse the server 
sites anonymously via the central proxy system. Accord- 
ing to venous embodiments of the present invention, the 
s substitute identifiers may be suitably constructed by the 
user site or a routine associated with the central site (ad- 
vantageous ways (functions) of constructing the substi- 
tute identifiers are described hereinafter). The exempla- 
ry central proxy system includes: (t) a computer-exe- 
10 cutable first routine that processes (receives, accepts, 
obtains, constructs, produces, etc.) site-specific substi- 
tute identifiers constructed from data specific to the us- 
ers (2) a computer-executable second routine that 
transmits the substitute identifiers to the server sites an* 
is thereafter retransmits orowsi..„ commands .received 
from the users to o» server sites and. (3) a computer- 
executable third routine that removes (and possibly sub- 
stitutes) portions of the browsing commands that would 
identify the users to the server sites. Include* and de- 
» hvatives thereof, as used herein, means inclusion with- 
out limitation. 

In one embodiment, the first of the two above-enu- 
merated basic functions is performed external to the 
central proxy system, while in another it is performed. 
2S at least in part, within the central proxy system. The cen- 
tral proxy system processes and forwards the substitut ■ 
identifiers as appropriate and directly performs the sec- 
ond of the above-enumerated basic functions by strip- 
ping other information that would tend to identify the us- 
30 ers. An Internet Access Provider (ISP*). »uchasNET- 
COMO). ora networking service, such as AMERICA ON- 
LINE* or COMPUSERVE* can advantageously em- 
ploy the central proxy system to provide anonymous re- 
transmission of browsing commands by their users. 
35 It is important to understand that subsequent use of 
the proxy system by a 'same' user to a 'same* server 
site will cause the proxy system to construct (directly or 
indirectly) and use the same (site-specific) substitute 
identifiers. Typically, the proxy system functions as a 
40 conduit communicating messages between the user 
and the server. Depending upon the embodiment, the 
proxy system may remove or substitute some portion of 
messages communicated by the user to the server t 
ensure anonymity. 
4S An alternative advantageous embodiment I tne 
present invention may be provided in the form ol a pe- 
ripheral proxy system designed for use with a network 
having a server site capable of being browsed by users 
baseton identifiers received «to m« *w~---4e-ancv 
so personal to the users The peripheral proxy system 
eludes (1) a computer-executable first routine that con- 
structs a particular substitute identifier from data re- 
ceived from a particular user and (2) a computer-exe- 
cutable second routine that transmits the particular sub- 
ss stitut klentifi r to the central proxy system, the central 
proxy system retransmitting the particular substUute 
identifier t the server site and, thereafter retransm.ttmg 
browsing commands received from the particular user 
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to the server site. According to this embodiment, me first 
routine may be associated, atleast n part with the user 
site, when distributes the basic (unctions of the present 
invention over multiple computer systems. 

The foregoing has outlined, rather broadly, pre- 
ferred and alternative features ol the present mention 
so that those skilled in the art may better understand the 
detailed description of the invention that follows. Addi- 
tional features of the invention will be described herein- 
after that form the subject of the claims of the invention. 
Those skilled in the art should appreciate that they can 
readily use the disclosed conception and specific em- 
bodiment as a basis for designing or modifyng other 
structures for carrying out the same purposes of the 
present invention. 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present 
invention, reference is now made to the following de- 
scriptions taken in conjunction with the accompanying 
drawings, wherein like numbers designate like objects, 
and in which: 

FIGURE 1 illustrates a high-level block diagram of 
an exemplary distnbuted network with which the 
principles of the present invention may be suitably 
used to provide either a central or a peripheral proxy 
system for allowing users to provide substitute iden- 
tifiers to server sites of a network to browse anon- 
ymously; 

FIGURE 2 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 showing a central proxy system that includes 
each of a user site, a csntral proxy system and a 
plurality of illustrative server sites according to the 
principles of the present invention; 
FIGURE 3 illustrates an exemplary full screen win- 
dow of a proxy system according to the principles 
of the present invention; 

FIGURE 4 illustrates an exemplary full screen win- 
dow of an interface of a particular server site ac- 
cording to the principles ol the present invention; 
FIGURE 5 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 showing a peripheral proxy system that in- 
cludes each of a user site, a central proxy system 
and a plurality of illustrative server site according to 
the principles of the present invention; and 
FIGURE 6 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 including each of a user site, a central proxy 
system and a plurality of illustrative serv r sites ac- 
cording to an exemplary marker proxy embodiment 
of the present invention. 



DETAILED DESCRIPTION 



Referring initially to FIGURE 1 . illustrated is a high- 
level block diagram of an exemplary distnbuted network 
s (generally designated 1 00) with which the principles of 
the present invention may be suitably used to provide 
either a central or a peripheral proxy system. Distributed 
network 100 illustratively includes a plurality of compu- 
ter sites 105 to 110 that are illustratively associated by 
to internet 115. Internet 115 includes the World Wide Web, 
which is not a network itseii, out rawer an •aostraction- 
maintained on top of Internet 115 by a combination of 
browsers, server sites. HTML pages and the like. 
According to the illustrated embodiment either 
is proxy system provides substitute identrfiers to one or 
more of a plurality of server sites 110 of network 100. 
The substitute identifiers allow user sites (and-hence. 
users (not shown)) to browse the server sites anony- 
mously via the proxy system. Consistent use of the 
zo same (site-specific) substrtute identrfiers at a particular 
server site oersonaiizes Drowsing, ror purpose oi »:us- 
trauon. sue tuaa i» «~ mroughout this document 
to be a user site, site 110a is assumed to be a central 
proxy site, and site U0g is assumed to be a server sit . 
25 Those of skill in the pertinent art will understand that 
FIGURE 1 is illustrative only, in other configurations, any 
of sites 105 to 110 may be a user, a central proxy or a 
server site, or a combination of at least two of the sam . 
'Server site." as the term is used herein, is construed 
30 broadly, and may include any site capable of being 
browsed 

Although the illustrated embodiment is suitably im- 
plemented for and used over Internet 1 1 5, the principles 
and broad scope of the present invention may be asso- 
35 ciated with any appropriately arranged computer, com- 
munications, multimedia or other network, whether 
wired or wireless, that has server sites capable of being 
browsed by users based on identifiers received into the 
server sites and that are personal to the users. Further. 
40 though the principles of the present invention are illus- 
trated using a single user site 105a. a single central 
proxy site 110a and a single server site H0g, altemat 
embodiments within the scope of the same may include 
a plurality of user, central proxy or server sites. 
45 Exemplary network 1 00 is assumed to include a plu- 
rality of insecure communication channels that operate 
to intercouple ones of the various sites 105 to 110 of 
network 100. The concept of communication channels 
ia known and allows insecure communication of infor- 
so mation among ones of the interrupted sites (the Inter- 
net employs conventional communication protocols that 
are also known). A distributed network operating system 
xecutes on at least some of sites 105. 110 and may 
manage the insecure communication of information 
55 therebetween. Distnbuted network operating systems 
are also known. 

According to exemplary central proxy system 11 oa 
of the present invent* n, which is discussed in detail with 
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reference to FIGURE 2. substitute identifiers rrwy be 
suitably indirectly provided by central proxy system 
1 10a to seiver site llOg (recall that substitute identifiers 
allow user site 105a to browse server site llOg anony- 
mously). One or more site-specific substitute .dangers 
are suitably provided or constructed from data specmc 
to user lOSae.therby user 1 05a or central proxy system 
1 10a Central proxy system 110a includes-a plurality of 
executable routines - a first routine processes site-spe- 
cific substitute tdentifiers constructed from data specific 
to user 105a (site-specific substitute identifiers may be 
suitably constructed by a central proxy site 110a, such 
as by a routine associated with central proxy system 
1 10a)- a second routine transmits the substitute identi- 
fiers to server site H0g (possibly via a plurality of mter- 
mediate user and server sites 105. 110) and thereafter 
retransmits browsing commands received from user site 
105a to server site UOg; and a third routine removes 
(and possibly substitutes) portions of the browsing com- 
mands that would identify user site 105a to server site 
1 10g (and the plurality of intermediate user and server 
sites 105. 110). The term 'routine,' as used herein, is 
construed broadly to not only include conventional 
meanings such as program, procedure, object task, 
subroutine, function, algorithm, instruction set and the 
like, but also sequences of instructions, as well as func- 
tionally equivalent firmware and hardware implementa- 
tions. . . . 

Alternatively, according to an exemplar/ peripheral 
proxy system (generally designated 1 20) of the present 
invention, which is discussed in detail with reference to 
FIGURE 5. that is designed for use with network 100 
again having a server site UOg capable of being 
browsed by a user site 105a based on substitute tden- 
tifiers received into server site UOg and that are per- 
sonal to user site 105a. Exemplary peripheral proxy sys- 
tem 120 includes first and second executable routines. 
The first routine, which may advantageously reside in 
user site 105a or, alternatively, in central proxy system 
110a constructs a particular substitute identifier from 
data particular to user site 105a. The second routine, 
which may also advantageously reside in user site 105a 
or. partiayy. in user site 105a and central proxy system 
1 1 0a. transmits me particular substitute identifier to cen- 
tral proxy system 110a Central proxy system 110a then 
retransmits the particular substitute identifier to server 
site UOg and thereafter communicates (e.g., transmits, 
receives, etc) information (e.g., browsing commands, 
data, etc.) between user site 105a to server site UOg. 

According to the illustrated embodiment, peripheral 
proxy system 120 differs from central proxy system HOa 
by the location of execution of the first and second rou- 
tines in the illustrated central pr xy embodiment, alt 
routines are executed by central proxy system 110a, 
which means that all users must send user specific in- 
formation to central pr xy system 110a In the illustrated 
peripheral proxy system 120. the first and second rou- 
tines may be executed in a proxy subsystem associated 



with user site 105a. In one advantageous embodiment, 
user system lOSa's user specific information (e.g.. user 
identification, passwords, e-mail addresses, telephone 
numbers, credit card numbers, postal address, etc.) re- 
s main local, which will typically be more secure than cen- 
tral proxy system 110a. 

As set forth hereinabove, an ISP, such as NET- 
COM®, or a networking service, such as AMERICA ON- 
LINE® or COMPUSERVE®, can advantageously em- 
io ploy either exemplary proxy system (central or periph- 
eral) to provide anonymous communication (transmis- 
sion, reception, retransmission, etc) of browsing (e.g. 
accessing, selection, reading, etc.) commands between 
user sites and server sites, 
is An important aspect of the above-identified embod- 
iments is the use of site-specrfic substitute identifiers to 
eliminate the need for a user to have to 'invenCa new 
-user name and password for each server site which re- 
quires the establishment of an account (e.g., the NEW 
20 YORK TIMES, the WALL STREET JOURNAL the 
NEWSPAGE® and ESPN® sites). The illustrated em- 
bodiment generates secure substitute identifiers (e.g.. 
alias user names, passwords, e-mail addresses, postal 
- addresses, credit card numbers, etc.) that are distinct 
25 and secure for the user. The user provides one or more 
character strings (which may be random) once, which : 
may advantageously be at the beginning of a proxy sys- 
tem session. The proxy system uses the same to gen- 
erate one or more secure site-specific substitute identi- 
30 Tiers for the user - thereby freeing the user from the bur- 
den of inventing new and unique identifiers for each 
server site. Moreover, the user no longer has to type 
s~uch secure identifiers eve™ rim« the user returns to a 
particular server site requirmg.ao.acc.ount: insteao tne 
38 proxv system provides the approbate secure idemiS-re 
automatcalry. * In an advantageous embodiment t 
'descnoea me proxy system filters other identifying in- 
formation (e.g.. HTTP headers, etc.) sent by user site 
105a while browsing server sites. It is important to k ep 
40 in mind that server sites cannot typically distinguish be- 
tween information supplied by proxy system 110a and 
information supplied by user site 105a - central proxy 
system 1 10a being transparent to carver sites. 

In one embodiment, the substitute identifiers are 
45 transmitted on demand from servers, without any inter- 
vention from the user. This process automates the re- 
sponse to a "basic authentication request; which is £ 
common procedure used by servers to identify users on 
the World Wide Web. In this way, the user is not bur- 
so dened by this activity. 

According to the illustrated embodiment, to produce 
substitute identifiers the proxy system may suitably 
maintain secret information (secret to at least one serv- 
er-site) in the form of user definable character strings. 
55 These character strings may be user defined and may 
be maintained in some c nventional manner, such as 
storing the same to memory assncia^ "*h the proxy 
system7or, advantageously, at unction ^escribed here- 
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inatter) may be used to produce me subeutute idenufl- 
er, at least ,n part, in aviation with the secret info, - 
maiion. According to one approach, the proxy syrorn 
, , .«.„ ,.a.ns a conventional data structure to maintain me 
same such as a database, data repository, an array. 
atc or even an alias table, mat may be used to map 
user information to their substrtute. or alias. identifiers. 

According to one advantageous embodiment, me 
user delivers its own secret (user definable character 
string) at the beginning ot each session, wheh is used 
by the proxy system to generate, directly or indirectly, 
the substitute identifiers tor me session. This option has 
the advantage that a user has me flexibility to choose 
different proxies at different times and mere .s no per- 
manent seer* information stored on the proxy system 
in another ..»»«~ -..—nent. the data comprise, at 
least two secret user definable character stmgs. where- 
in the first routre processes substitute identifiers con- 
structed in part from the at least two secret user defin- 
able character strings. Ot course, alternate suttable ap- 
proaches may be used to accomplish me purpose ot 
providing anonymous personalized web browsing ac- 
cording to me present invention. 

Turning now to FIGURE 2. illustrated « a block di- 
agram of an exemplary sub-network (generally desig- 
nated 200) of distributed network 100. wherein sub-net- 
work 200 includes user site lOSa. central proxy system 
110a and server site nog (shown among a plurality of 
other illustrative server sites 1 10 of Internet 115) accord- 
ing to the principles of me present inventon. 

For purposes of illustration, assume that user site 
lOSaissuesacommandtoaccess server site 1l0g(the 
NEW YORK TRIBUNE web-site (*NYT*)). Such access 
would be via central proxy system (server site) 110a. 
which ensures that user specific data concerning user 
site 105a is not communicated over the remainder of 
Internet 115- there may be HTTP header fields, for ex- 
ample, mat include data about user site 105a that cen- 
tral proxy system 110a filters. 

Exemplary central proxy system 110a advanta- 
geousy executes on a server site mat is not associable 
with user site 105a by other sites over Internet 115. Ac- 
cording to an advantageous embodiment central proxy 
system 110a may be suitably distant, bom physically 
and logically, from user site 105a - user site 105a does 
not access server-sites directly because me server- 
sites can determine bom physically and logically the In- 
ternet Protocol (1P1 - address of the machine mat 
made me request 

According to me exemplary embodiment, if user site 
1 0Sa's command to access NYT 1 lOg is user site 1 0Sa's 
first request of the current session, central proxy system 
110a will recognize the same, and display its own 
HTML-document, possibly on user site lOSa's browser. 

Turning momentanly to FIGURE 3. illustrated is an 
exemplary lull screen window of a conventional browser 
300 ("NETSCAPE®') displaying an inlaid interface 305 
(*JANUS SM *) of central proxy system 1 10a according to 



me principles ot the present invention. Exemplary inter- 
face 305 prompts a user of site 105a to enter user de- 
finable character strings, which according to me .llus- 
trated embodiment includes identification CIO*) data 
s and secret ['ST) data supplied by the user. Each user 
initially supplies a user ID (e.g.. e-mail address) and a 
user S to allow one or more substitute identifiers to be 
chosen or constructed (site-specific substitute identifi- 
ers are suitably constructed from data specific to user 
to 105a and a particular server site which user 105a in- 
tends to browse). Alternatively, otheror further data sup- 
plied by the user may be appropriate in some applica- 
tions (e g., credit card numberj»slfl«caaddreee. nan- 
die, etc ). 

is " According to me advantageous embodiment, sub- 
stitute identifiers may be constructed (generated) usinc 
a suitable (unction that includes the features of aeonym 
ity consistency, collision resistance and uniqueness, 
protection from creation of dossiers, and single secret 
20 and acceptability. Concerning anonymity, me identity ol 
me user should be kept secret; mat is. a server site, or 
a coalition of sites, cannot d..-^*- the true .den..* ol 
the user from its substitute .oentiffcaTion. Concerning 
consistency, tor eacn server-*.*, -aw. -ser should be 
rs provided with some substitute identifiers allow ing the 
server site to recognize me user given We samerttwre- - 
by enabling the server site to personalize the user's ac- 
cess and me user can thus be 'registered* at the server 
sits. 

30 with respect to collision resistance and unique- 
ness, given a user's identity and a server site, a m.rd 
party should not find a different user identity which re- 
sults in me same alias (impersonation) for mat serv r 
site As to protection from creation of dossiers, the ueer 
35 is likely to be assigned a distinct alias (substitute .den- 
tifier) lor distinct seiver sites, so that a coali«or .of sow 
is unable to leam a usefs habits and build a user profile 
(dossier) based on the set of sites accessed by me us r 

Lastly, single secret (user definable character string) 
40 and acceptability provides, given me user's identrty and 
a single secret, automatic generation of secure, distinct 
aliases (substitute identifier) as needed for each s rv r- 
site. transparent to the user - from me usefs perspec- 
tive the user definable character stnng is equivalent to 
4S a universal password lor a collection of «""»^" e »; 

According to this embodiment, a user ID is rrupt 
(not secret) t an adversary (one or more ^server s ,tes 
desirous of identifying me user). £ has been able^ t 
read the user's secret S Alternatively, a user ID is par- 
se tially opened- (not luMy secure) with respect AO a partly 
u Jserver site. w. if £has been able to read the alas 
password; a user ID is 'opened- (not secure) . r - 
spect to w. if it is partial* opened and £ has been able 
to re*te the a.»s password together wrih 
S5 name to me user ID. Assuming mat unc,»n TQ£ 
de.inedas.ol.ows. 7T.user ID W*'!^ 
stitute username. passwords;. hence. T(ri. * S) - (Un 
Pwy and Tu(id.w.S) = U* and TpOd.w.S) = Pv* 
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and 



Tu (id, w. S) = Uw= h(enc(k,id. f(s v w))) 



Tp(id,w,S) = P*= h(enc(kM t(s r w))) t 



wherein 

id 
w 

// 
S 

xor 

f(k,x) 



enc(k.x,r) 
M) 

des(KLx) 
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is 



denotes user site lOSa's ID {e.g., ©-mail 
address); 

denotes server arte HOg*s domain 
name; 

denotes the logical function of concate- 
* nation; 

denotes k/Zs/Zs^ a user site 105a defin- 
able character string; 
denotes the Boolean function of exclu- 
sive or, 

denotes a suitably arranged function for 
generating pseudo-random values, and 
may be selected from a group of func- 
tions, such as des(k.h(x),x); 
denotes rZZ(f(k,r)xor x); 
denotes a collision-resistant hash func- 
tion, such as MD5; and 
denotes OES encryption in cipher block 
chaining ( # C8C-) mode, which are 
known, of information x using key /rand 
an initialization vector L 



Both Tu() and Tp() may suitably truncate the result of 
the hashing function. h(). to fit the longest allowed user 
name or password for the particular server site. 

Relating this function, T(), to tn « above-identified 
and described features yields the following: 

1 . £ can only guess at the identity, ID, of a user 
which is onry partially opened and uncorrupted. 

2. T() is a deterministic function and £ can onry 
guess at the alias-password of a user which is un- 
opened and uncorrupted. 

3. Given wand an uncorrupted and unopened user 
ID. £ can only guess at the ID and S 

4. For an uncorrupted user ID and w. T(id,w,S)4oes 
not give to £information about T(id.w\ S)\ot any W 
not equal to w. 

5. The range of T(ki,w,S) is such that it is accepted 
by server sites as a valid usemame and password 
-- implying a limited length string of printable char- 
acters. 

Those skilled in the pertinent art will understand that al- 
ternate suitable f uncti ns may replace or b used in as- 
sociation with the foregoing according to the principles 
of the present invention. 

Use of the foregoing exemplary substitute identifier 
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constructing function, and for that matter, any other suit- 
ably arranged function for constructing substitute iden- 
tifiers accordfcg to the present invention, operates t 
foster the above-identified features of anonymyzed and 
personalized browsing. The present invention provides 
the ability to anonymously visit a server site a first time 
via site-specific substitute identifiers, to interact wrth the 
server site as a function thereof, and to re-visit the serv-^ 
er site on subsequent occasions using the same site- 
specific substitute identifiers, interacting with the server 
site as a return customer - possibly receiving person- 
alized attention as a function of the recognized sub- 
stitute identifiers. Simply stated, the substitute identify 
ers are constructed consistently, and in advantageous 
embodiments in a site-specific manner. 

In one embodiment of the present invention, the 
substitute identifiers include site-specific substitute user 
names and site-specific substitute user passwords. 
•Site-specific* means that the names and passwords 
vary from site to site, depending perhaps upon the ad- 
dress of each site. This may complicate the task of cre- 
ating a dossier relative to a given user. In a related em- 
bodiment, the first routine constructs site-specific sub- 
stitute e-mail addresses for user site 1 05a from the site- 
specific data. In an alternate advantageous embodi- 
ment, the first routine constructs the site-specinc sub- 
stitute identifiers from addresses of the server sites - of 
course, site-specific information other than the address 
of the site may be used to construct the substitute iden- 
tifiers. 

If this is the first contact of the user with central 
proxy system 1 1 0a. then the user may suitably generate 
a user defined character string (secret) at random and 
store the same locally. ,n advantageous embodi- 
ment, the first routine processes substitute identifiers 
that may be constructed by applying pseudo-random 
and hash functions (e.g.. T() function set forth herein- 
above) to the data received from user site 105a - those 
skilled in the art are familiar with the structure and op- 
eration of pseudo-random and hash functions and their 
utility. The important aspect of this and related embod- 
iments is that the present invention is adapted to take 
advantage of current and later-discovered functions to 
enhance anonymity and security. 

Alternatively, if this is the first contact of a current 
session then the user may suitably enclose the stored 
user defined character string to central proxy system 
1 1 0a. Nonetheless, browser 300 sends interlace 305 to- 
gether with a user's I D and other user definable charac- 
ter string to central proxy system 110a. Central proxy 
system 110a receives this information and may use the 
same for the rest of the session. 

In one advantageous embodiment, the first routine 
receives or generates session tags that are added to the 
browsing commands, central proxy site 110a employing 
the session tags to associate th substitute identifiers 
with each of the browsing c mmands - the session 
tags, while not necessary to the present invention, pro- 
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vide one manner that allows user site* 105a t supply 
their data only once, usually at the beginning of each 
session. In a related advantageous embodiment, cen- 
tral proxy site 11 Oa includes a data store that is capable 
of containing session information specific to user sites 
105a and accessible by server sites HOg. 

tn one advantageous embodiment, the second rou- 
tine descnbed above, which may be local to the central 
proxy system 11 Oa, transmits the substitute identifiers 
to server site nOg. tn a further advantageous embodi- 
ment, the second routine transmits the substitute iden- 
tifiers to server site 1 1 0g based on alphanumeric codes 
supplied in fields of web-pages 305 by the users. The 
alphanumenc codes prompt the second routiie as to 
how and where to locate the substitute identifiers, re- 
moving the users from actual* having to provide the 
substitute identifiers directly. Of course, the alphanu- 
meric codes may be supplied in a different form. In a 
related, more specific embodiment, the users manually 
place the alphanumeric codes in the fields of web-pages 
305 Of course, the present invention encompasses in- 
telligent parsing of the fields of web pages 305 to deter- 
mine automatically how and where the alphanumenc 
codes should be located. Those skilled in the art are fa- 
miliar with the Internet in general, the World Wide Web 
in particular and the way in which the structure of the 
World Wide Web promotes 'browsing/ The present in- 
vention finds apparent utility in conjunction with the In- 
ternet and the World Wide Web. however, those skilled 
in the art will readily understand that the present inven- 
tion has advantageous application outside of the inter- 
net as well in any suitably arranged computer, commu- 
nications, multimedia or tike network configuration. 

Nonetheless, after central proxy system 110a ob- 
tains the required information about the user, the above- 
described third routine removes portions of the browsing 
commands that would identify user site 105a to server 
site HOg. and forwards user site lOSa's original request 
for access to NYT-site HOg (e.g., using an HTTP get- 
request) - thereby selectively excluding from the re- 
quest header-fields or the like that may identify the user. 

If this is the user's first visit to NYT-site i lOg, then 
it may suitably provide the user with an electronic form 
prompting, for example, tor a user name, a password 
and an e-mail address in order to establish an account. 
Turning momentarily to FIGURE 4, illustrated <s exem- 
plary full screen window of conventional NETSCAPE® 
browser 300 displaying an inlaid interlace 400 (THE 
NEW YORK TRIBUNE") of server site 110g according 
to the principles of the present invention. 

Now. instead of having to provide a unique user 
name and a secret password, the user may suitably pro- 
vide thes fields with simpl escape strings (e.g., "<uu- 
uu>*and'<pppp>') More specifically, the alphanumenc 
codes above-described may be suitably arranged into 
such escape sequences those skilled in the art are 
familiar with escape sequences. These strings are rec- 
ognized by central pr xy site 11 0a which uses user site 



lOSa's user name and secret (user M finable character 
string) along with the domain-name of the NEW YORK 
TRIBUNE and computes substitute identifiers (e.g., ali- 
as user name. u3. and alias password, p3, in FIGURE 
s 2. etc. ). such as by function T(ID, seaet, domain-name). 
The site-specific substitute identifiers may be sent to a 
particular server site by central proxy system 110a using 
- the same mechanism that the user would submit input 
to the particular server site. In other words, proxy system 
to 110a receives information communications, such as 
browsing commands, from user site 105a intended for 
server site HOg. and retransmits the same to server site 
11 0g » central proxy system 11 0a functioning as a trans- 
parent conduit for ancnymizing and. through consistent 
is generation of site-specific substitute identifiers, person- 
alizing server site browsing. 

On a subsequent visit to NYT-site HOg. wAich will 
require that user site t05a authenticate itself (response 
to the first get-request forwarded to NYT-site HOg by 
20 central proxy system 1 1 0a). central proxy system 1 1 0a 
may be suitably operative to automatically recompute 
u3 and p3 and reply by sending these values back to 
NYT-site HOg (re-sending the get-request). User site 
105a is thereby freed from the burden of remembering 
2$ the user name and password of its NYT-site HOg ac- 
count. To summarize, the protocol, which may be suita- 
bly executed without involving user site 105a includes: 
(1 ) a step of NYT-site server 1 1 0g requesting an authen- 
tication from central proxy site 110a by failing the first 
M get request. (2) central proxy site 110a recomputing th 
substitute identifiers (e.g., (alias-user name, alias-pass- 
word) = T(ID. seaet, domain-name), or the like); (3) cen- 
tral proxy site 110a replying by re-sending the get with 
the same substitute identifiers. 
3S The substitute identifiers are consistent in the sense 
that the substitute identifiers are presented on subse- 
quent visits to the same server site by user 105a. Con- 
sistent substitute identifiers allow server sites to recog- 
nize returning users and provide personalized s rvce 
40 to them, in one embodiment, the second routine trans- 
mits the substitute identifiers on demand from servers, 
without any intervention from user 105a. This proc ss 
automates the response to a 'basic authentication re- 
quest.* when is a common procedure used by serv rs 
45 to identify users 105a on the World Wide Web. In th» 
way, user 105a is not burdened by this activity. In this 
embodiment the second routine may have to re-trans- 
mit the original user request along with the substitute 
identifier to the server. 
so it should be noted that many servers require a vaw 
e-mail address for creating an account ~ users cannot 
use their true e-mail address for this purpose since <t 
uniquely identifies them. The proxy system I the 
present .nvention may suitably solve this problem by 
ss creating an alias e-mail address for user sit lOSaand 
store e-mail in ah electronic mailbox. In on advanta- 
geous embodiment, central pr xy system 110a includes 
a data store capable of containing e-mail destined tor 
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the use*, thereby preventing server s«es ^ 
,ng users directly. Contrary to pr.or an anonymous re- 
mile's m. present embodiment a not reputed to rely 
craving to store any translation tables 
torg. and vulnerable) from alias to true user denser, 
* lentralproxy system 110a. Triisembod.men xm«£ 
entty securer than prior art approaches as centra I P«*V 
Lstem lite is not required to mainta* and protect a 
translation table and cannot be forced to reveal the con- 
tents of any such table to a third patty. 

in an alternate advantageous embodiment centtal 
proxy system 1 05a further includes a data store capabe 
of containing e-mailboxea tor the users and specie : to 
the server sues. According to this embodiment, each us- 
er has a mailbox tor each site that has generated mart 
destined for the user. Rather than compromising secu- 
rity by allowing automatic remaUing to the user the 
present embodiment may store e-mail for expleit re- 

trieval by each user. 

For each server, it may be advantageous for users 
to have a separate *«nail box. possibly identified by us- 
er-substitute identifiers. This approach may allow for 
suitable disposal of e^nail messages received from the 
third-parties (e.g.. *iunK e-marl') as well as the option of 
selective disposal of e-mail messages. 

in one advantageous embodiment, each of ^mail- 
boxes has a key associated therewith, the key beng a 
lunction of the data and an index number. The use of 
keys with .^mailboxes is known. In anothe , ^advanta- 
qeous embodiment, central proxy system 110a further 
comprises a computer-executable routine that, grven 
the substitute identifiers, collects <wnail destmed for the 
users and contained within a plurality of site-specific e- 
mattboxes. This embodiment may suitably employ a 
mail-collecting routine that automatically locates user 
site lOSa's various mailboxes and retrieves the mail 
therefrom once the user has supplied the appropnate 
data. 

According to one advantageous embodiment, cen- 
tral proxy system 110a includes functionality necessary 
to support electronic payment, the users employ elec- 
tronic payment information to engage * anonymous 
commerce with the server sites. To facilitate the same, 
central proxy system 110a may include a c^ stc*e«- 
pable ol contamrg such electronic payment informa- 
tion Further, substitute identifiers may be constructed, 
at least in part, using credit/debit card numbers, bank 
branch or account numbers, postal addresses, tele- 
phone numbers, tax identification numbers, socal se- 
curity numbers or the like. Various methods for achiev- 
ina anonymous commerce are known. 

By way of further example, an ever increasing 
number of sites require a valid credit card number as 
part of establishing an account, so that such srtes may 
charqe the user for their services (e.g., WALL STREET 
JOURNAL®. ESPN . etc.). While the above-descr.bed 
proxy system provides substitute identifiers to Ire users 
trom remembering these items and by prov-ding a guard 



on (involuntary) data flowmg to the web-site, it may «ot 
provide complete anonymity to a user wh has provided 
a credit card number to a site. One solution, desenbed 
briefly above, requires central proxy system nOatopro- 
s vide its own valid credit card number to the requesting 
site and then collect money Irom its users, it central 
proxy system 105a is incorporated into an Internet pro- 
vider, lor example, such as AMERICA ONLINE®, then 
this relationship may already exist, 
to Alternatively, central proxy system 110a may be 
known and trusted by other sites, thereby allowing cen- 
tral proxy system 110a to generate an alias credit card 
number and expiration date, and then to authenticate 
this data and send it to a requesting site. The site can 
is then check that this number indeed ohginates from een- 
tral proxy system 110a and hence accepts the same as 
valid with the understanding that it can collecttee mon- 
ey from central proxy system 110a. There no longer is 
a need to send a -real* credit card number between cen- 
20 tral proxy system 110a and the sites. 

It is important to realize that the various features 
and aspects of the embodiments above-desenbed may 
also be suitably implemented in accordance with the pe- 
ripheral proxy system described with reference to F G- 
25 URE 1 More particularly, turning momentanty to FIG- 
URE 5 there is illustrated a block diagram of an exem- 
plary sub-network (generally designated 500) of the dte- 
thbuted network ot FIGURE 1 showing a penpheral 
proxy system 120 that includes each of user site 105a. 
30 centra, proxy system 110a and NYT-site 110 9 (shown 
among a plurality of other illustrative server sites 110 ol 
Internet 115) according to the principles of the present 

invention. ^_ . . 

Peripheral proxy system 1 20. as set forth above. «v 
M eludes first and second executable routines. Th first 
routine, which advantageously resides in user site lOSa. 
constructs substitute identifiers from data particular to 
user site 105a. The second routine; which also illustra- 
tively resides in user site i05a. transmits the substitute 
40 identifiers to central proxy system 110a. Central proxy 
system 110a then retransmits the substitute identifiers 
to server site H0g and thereafter communicates (e.g., 
transmits, receives, etc.) information (e.g.. browsing 
commands. data. stc.)between usersite ^Satoserver 
45 site nog. This second configuration is particularly ad- 
vantageous when users may not trust central proxy sys- 
tem 1 ?0a or the communication lines therebetween, and 
want to keep user identifications and other secret infor- 

so "* TSwxy system 510 may be used to maintain 
the same, and may use the user's «-"*^«* °£ 
er information to compute the substitute 
calproxy system SlOcommunicates with acentral proxy 
1 Sa. wheh may be used to forward conjnun, 
« cationtoserversandhandlee-mail. In 

centra, proxy system 110a communicates c< ^ 
,er-execu«able local routines associated with th users 
the local routines constructing the site-speafic subst, 
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tuta identrfiers from data specific to the users. Again, 
central proxy system 110a may rely on distributed rou- 
tines, kxal to each user, that generate the substitute 
identifiers and transmit the same to central proxy system 

Turning now to FIGURE 6. illustrated ts a btock di- 
agram ol an exemplary sub-network (generally desig- 
nated 600) of trie distnbuted network 1 00 including each 
ol user site 105a, central proxy system 110a and a plu- 
rality of illustrative server sitae 110b. 110c. andilOg ac- 
cording to an exemplary marker proxy embodiment ol 
the present invention. As described above, the central 
proxy system of the present invention may be employed 
in at least two configurations, namely, a central proxy 
configuration (FIGURE 2) or a penpheral proxy config- 
uration (FlhURE 5). 

in the central proxy configuration, central proxy sys- 
tem 1 10a computes substitute identifiers. An implemen- 
tation of this configuration may require user site 105a to 
provide one or more user definable character strings (a. 
g,, user identification, password and other secret infor- 
mation) once, and central proxy system 110a wil there- 
after generate the substitute identifiers as needed. Cen- 
tral proxy system 1 1 0a may associate the user definable 
character strings with a senes of HTTP requests gener- 
ated by the same user site 1 05a - the central proxy sys- 
tem 110a may associate each request with a session, 
that contains all communication between a specific user 
site 105a and the central proxy system 110a. 

The HTTP protocol however does not generally di- 
rectly support sessions or relationships between re- 
quests. More particularly, each HTTP request may be 
sent a new socket connection, and there is no required 
HTTP header field that can link successive requests 
from the same user. 

It should be noted that the session identification is 
typically not necessary in the peripheral proxy configu- 
ration since central proxy system 110a may forward 
communications without any computation. In a typical 
embodiment, peripheral proxy system 120 retransmits 
browsing commands received from user site 105a to 
central proxy system 1 1 0a. which then retransmits such 
commands to server site H0g. According to one em- 
bodiment, peripheral proxy system 120 removes and, 
possibly, substitutes portions of the browsing com- 
mands that would identify user site 105a to server site 
H0g. 

In one advantageous embodiment user site 105a 
runs a marker program 605 locally. Marker program 605 
operates to tag user site lOSa's requests wrth a session 
tag, t Central proxy system 1 1 0a uses this tag to identify 
requests belonging to a particular one of a group of us- 
ers. Marker program 605 may be implemented t store 
user site lOSa's session tag and add this tag t all re- 
quests, and central proxy system 1 1 0a removes the ses- 
sion tag bel re forwarding the request to some server 
site. The session tag should be unique, as no two users 
should have the same tag. 



It should be noted that NETSCAPE uses 'cookies. 
• which are a mechanism for storing and retrieving long 
term session information (the use of •cookies' concep- 
tually is known). The cookies are generated by the 

s browsed servers and are associated wrth a specific do- 
main name. Browsers 300 submit the cookies associat- 
ed wrth a specific domain name whenever the user re- 
visits that domain. Servers typically only generate cook- 
ies associated with their domain. Cookies provide an 

io easy mechanism to keep session information, such as 
the contents of a 'shopping cart/ account name, pass- 
word, event counters, user preferences, etc. 

Some companies, use cookies extensively to track 
users and their habits. Since the proxy systems of the 

is present invention present substitute identifiers t 
browsed servers, the servers cannot learn true user 
identities. Thus all of the information that the seTver may 
store in its cookie relates to some 'alias persona,' and 
not to the true user. Whenever the user returns to the 

so same server, it will present the same substitute identifi- 
ers, and may also submit the cookie that the server gen- 
erated earlier for this alias persona. 

It is apparent from above, that the present invention 
provides, for use with a network having user sites and 

25 server sites, wherein the server sites are capable of b - 
ing browsed by the user sites based on identifiers re- . 
carved into the server sites and personal to the user 
sites, both a central and a peripheral proxy system for 
providing consistent substitute identifiers to the serv r 

oo sites that allow the user sites to browse the server sit s 
in an anonymous and personal fashion via the proxy 
system. 

An exemplary central proxy system includes: (1 ) an 
executable first routine that processes site-specific sub- 
as stitute identifiers constructed from data specific to the 
user sites, (2) an executable second routine that trans- 
mits the substitute identifiers to the server sites and 
thereafter retransmits browsing commands received 
from the user sites to the server sites and (3) an execut- 

40 able third routine that removes (and possibly substi- 
tutes) portions of the browsing commands that would 
identify the user sites to the server sites. 

An exemplary peripheral proxy system include : (1 ) 
an executable first routine that constructs a particular 

45 substitute identifier from data received from a particular 
user site and (2) an executable second routine that 
transmits the particular substitute identifier to a central 
proxy system, the central proxy system then retransmit- 
ting the particular substitute identifier to the server sit 

so and thereafter retransmitting browsing commands re- 
ceived from the particular user site to the server site. 

Although the present invention has been descnbed 
in detail, those skilled in the art sh ukJ understand that 
they can make various changes, substitutions and arter- 

ss ations herein without departing from the scope of the 
invention in its broadest form. More particularly, it should 
be apparent to those skilled in the pertinent art that the 
above-described routines are software -based and exe- 
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cutable by a suitable conventional computer system/ 
network. Alternate embodiments of the present inven- 
tion may also be suitably implemented, at least in part, 
in firmware or hardware, or some surtable combination 
of at least two of the three. Such firmware-or hardware 
embodiments may include mutti. parallel and diatnbuted 
processing environments or configurations, as well as 
alternate programmable logc devicee. such as pro- 
grammable array logic ('PALs') and programmable log- 
ic arrays ('PLAs'). digital signal processors ('DSPs'). 
Held prograrnmable gate arrays ('FPGAs'), application 
specific integrated circuits ('ASICs'), large scale inte- 
grated circuits ('LSIs'), very large scale integrated cir- 
cuits (' VCSIs*) or the like - to form the various types of 
modules, circuitry, controllers, routines and systems de- 
scribed and claimed herein. 

Conventional computer system architecture is more 
fully discussed in The Indispensable PC Hart/warn 
Book, by Hans-Peter Messmer, Addison Wesley (2nd 
ed. 1995) and Computer Organization and Architecture, 
by William StaJlings. MacMillan Publishing Co. (3rd ed. 
1993); conventional computer, or communications, net- 
work design is more fully discussed in Data Network De- 
sign, by Darren L Spohn, McGraw-Hill. Inc. (1993); and 
conventional data communications is more fully dis- 
cussed in Voice and Data Communications Handbook 
by Bud Bates and Donald Gregory, McGraw-Hill. Inc. 
(1 996) Data Communications Principles, by R 0. Gittin. 
J F. Hayes and S. B. Weinstein. Plenum Press (1992) 
and T7» Irwin Handbook of Telecommunications, by 
James Harry Green. Irwin Professional Publishing (2nd 
ed. 1992). 



Claims 



A central proxy system for coupling to a network and 
for allowing users to browse server sites on said 
network anonymously via said central proxy sys- 
tem, said central proxy system comprising: 

a computer-executable first routine that proc- 
esses site-specific substitute identifiers con- 
structed from data specific to said users; 
a computer-executable second routine that 
transmits said substitute identifiers to said serv- 
er site* and thereafter retransmits browsing 
commands received from said users to sad 
server sites; and 

a computer-executable third routine that re- 
moves portions of said browsing commands 
that would identify said users to said server 
sites. 

The central proxy system as recited in Claim i 
wherein satd data comprises identification data and 
a user definable character stnng supplied by said 
users. 



3. The central proxy system as recited in Claim i 
wherein said site-specific substitute identifiers com- 
prise site-specific substitute user names and site- 
specific substitute user passwords. 

4. The central proxy system as recited in Claim 1 
wherein said first routine constructs site-epeciflc 
substitute electronic mail addresses lor said users 
from said data. 

5. The central proxy system as recited in Claim 1 
wherein said first routine constructs said site-spe- 
cific substitute identifiers Irom addresses of said 
server sites. 

6. The central proxy system as recited in Claim 1 
where* said server sites are World Wide Web sitee 
capable of presenting web pages to said users, said 

second routine transmitting said substitute identifi- 
ers to said server sites under direction of said users. 

7. The central proxy system as recited in Claim 1 
wherein said second routine transmits said substi- 
tute identifiers to said server sites based on alpha- 
numeric codes supplied in web page fields by said 
users. 

$. The central proxy system as recited in Claim 7 
wherein said alphanumeric codes are arranged in 
escape sequences. 

«. The central proxy system as recited in Claim 7 
wherein said users manually place said alphanu- 
meric codes in sad web page fields. 

10. The central proxy system as recited in Claim 9 
wherein said central proxy system communicates 
with computer-executable local routines associated 
with said users, said local routines constructing said 
40 site-specific substitute identifiers from data specific 
to said users. 
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11. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
electronic mail destined for said users. 

12. The central proxy system as recited in Claim 1 
wherein said first routine processes substitute iden- 
tifiers constructed by applying pseudo-random and 
hash functions to said data received from said us- 
ers. 

10. The central proxy system as recited in Claim 1 fur- 
ther comprising a data st re capable f containing 
electronic mailboxes for said users and specific to 
said server sites. 

14. The central proxy system as recited in Claim 13 
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wherein each of said electronic mailboxes has a key 
associated therewith, said key being a function of 
said data and an index number. 

15. The central proxy system as recited in Claim 1 fur- 
ther compnsing a computer-executable routine 
that, given said substitute identifiers, collects elec- 
tronic mail destined for sad users and contained 
within a plurality of site-specific electronic maitoox- 
es 

16. The central proxy system as recited in Claim 1 
wherein said first routine receives session tags add- 
ed to sad browsing commands, said central proxy 
system employing said session tags to associate 
said Substitute identifiers with each of saxl browsing 
commands. 

17. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
session information specific to said users and ac- 
cessible by said server sites. 

18. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
electronic payment information, said users employ- 
ing said electronic payment information to engage 
in anonymous commerce with said server sites. 

19. The central proxy system as recited in Claim 1 fur- 
ther comprising an initializing routine that con- 
structs said site-specific substitute identifiers from 
data specific to said users and communicates said 
site-specific substitute identifiers to said first rou- 
tine. 

20. A peripheral proxy system for coupling to a network 
and for allowing at least one user to browse a server 
site on said network anonymously via a central 
proxy system, said peripheral proxy system com- 
prising: 

a computer-executable first routine that con- 
structs a particular substitute identifier from da- 
ta received from a particular user and 
a computer-executable second routine that 
transmits said particular substitute identifier to 
said central proxy system, said central proxy 
system retransmitting said particular substitute 
identifier to said server site and thereafter re- 
transmitting browsing commands received 
from said particular user to said server site. 

21. The peripheral proxy system as recited in Claim 20 
wherein said data c mprises identification data and 
a user definable character string supplied by said 
particular user 
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22, The peripheral proxy system as recited in Claim 20 
where* said particular substitute identifier compris- 
es a particular substitute user name and a particular 
substitute user password. 

23, The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs a particular 
substitute electronic mail address for said particular 
user from said data. 

24, The peripheral proxy system as recited in Claim 20 
wherein sad first routine constructs said particular 
substitute identifier from an address of said server 
site, said particular substitute identifier therefore 
being specific to said server site. 

The peripheral proxy system as recited in«aim 20 
wherein said server site is a World Wide Web site 
capable of presenting at least one web page to said 
users, said central proxy system transmitting said 
particular substitute identifier to said server site un- 
der direction of said particular user 

26. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system said particular 
substitute identifier to said server site based on ai- . 
phanumeric codes supplied in web page fields by 
said user. 

27. The peripheral proxy system as recited in Claim 26 
wherein said alphanumeric codes are arranged in 
escape sequences. 

2ft. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a computer-executable third routine that re- 
moves portions of sad browsing commands that 
would dentify said particular user to said server 
site. 

29. The peripheral proxy system as recited in Claim 28 
where* sad first and second routines are execut- 
able on a computer system associated with sad 
particular user and said central proxy system is a 
computer system having a network address differ- 
ent from sad computer system associated with sad 
particular user. 

3a The peripheral proxy system as recited in Claim 20 
wherein sad central proxy system further compris- 
es a data store capable of containing electronic mail 
destined for sad particular user. 

31. The peripheral proxy system as recited in Claim 20 
wherein sad first routine constructs said particular 
substitute identifier by applying pseudo-random 
and hash functions to sad data received fr m sad 
particular us r 
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32. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing an electronic 
mailbox for said particular user and specific to said 
server site. s 

33. The peripheral proxy system as recited in Claim 32 
wherein said electronic mailbox has a key associ- 
ated therewith, said key being a function of said da- 
ta and an index number. to 

34. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a computer-executable routine that, given said 
particular substitute identifier, collects electronic 
mail destined for said particular user and contained 
within at least two electronic mailboxes. 

35. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- *° 
es a computer-executable marker routine that adds 
session tags to said browsing commands, said 
proxy system employing said session tags to asso- 
ciate said particular substitute identifier with each 

of said browsing commands. 2S 

36. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing session infor- 
mation specific to said particular user and access*- *> 
ble by said server site. 

37. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing electronic pay- as 
ment information, said particular user employing 
said electronic payment information to engage in 
anonymous commerce with said server site. 

38. A method for use with a network having a server *o 
site capable of being browsed by users and for al- 
lowing said users to browse said server site on said 
network anonymously via said proxy system, said 
method comprising the steps of: 

45 

constructing a particular substitute identifier 
from data received from a particular user 
transmitting said particular substitute identifier 
to said server site; and 

thereafter retransmitting browsing commands so 
received from said particular user to said server 

site. 

39. The method as recited in Claim 38 wherein said da- 
ta comprises identification data and a user defina- 55 
ble character string supplied by said particular user. 

40. The method as recited in Claim 36 wherein said par- 



ticular substitute identifier comprises a particular 
substitute user name and a particular substitute us- 
er password. 

41. The method as recited in Claim 38 further compris- 
ing the step of constructing a particular substitute 
electronic mail address for said particular user from 
said data. 

42. The method as recited in Claim 38 wherein said 
step of constructing comprises the step of con- 
structing said particular substitute identifier from an 
address of said server site, said particular substitute 
identifier therefore being specific to said server site. 

43. The method as recited in Claim 38 wherein said 
server site is a World Wide Web site capaWe of pre- 
senting at least one web page to said users, said 
method further comprising the step of transmitting 
said particular substitute identifier to said server site 
under direction of said particular user. 

44. The method as recited in Claim 38 wherein said 
step of transmitting comprises the step of transmit- 
ting said particular substitute identifier to said server 
she based on alphanumeric codes supplied in web " 
page fields by said user. 

46. The method as recited in Claim 44 wherein said al- 
phanumeric codes are arranged in escape se- 
quences. 

46. The method as recited in Claim 38 further compris- 
ing the step of removing portions of said browsing 
commands that would identify said particular user 
to said server site. 

47. The method as recited in Claim 46 wherein said 
step of constructing is performed on a computer 
system associated with said particular user and 
said steps of transmitting and thereafter transmit- 
ting are performed on a computer system having a 
network address different from sad computer sys- 
tem associated with said particular user. 

48. The method as recited in Claim 38 further compris- 
ing the step of storing electronic mail destined f r 
said particular user. 

49. The method as recited in Claim 38 wherein said 
step of constructing comprises the step of applying 
pseudo-random and hash functions to said data re- 
ceived from said particular user. 

5a The method as recited in Claim 38 further compris- 
ing the step f creating an electronic mailbox for 
said particular user and specific to said server site. 
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51. The method as recited in Claim 50 wherein said 
electronic maitoox haa a key associated therewth. 
said key being a function of said data and an index 
number. 

52. The method as recited in Claim 38 further compris- 
ing the step of collecting electronic mail destined for 
said particular user and contained within at least 
two electronic mailboxes given said particular sub- 
stitute identifier. 

53. The method as recited in Claim 38 further compris- 
ing the step of adding session tags to sad browsing 
commands, said proxy system employing said ses- 
sion tags to associate said particular substitute 
identifier with each of said browsiig commands. 

54. The method as recited in Claim 38 further compris- 
ing the step of storing session information specific 
to said particular user and accessible by said server 20 

site. 

55. The method as recited in Claim 38 further compris- 
ing the step of storing electronic payment informa- 
tion, said particular user employing said electronic 2S 
payment information to engage in anonymous com- 
merce with said server site. 
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Location: 



Welcome to Janus! 



Janus is a system to pcrsoaalirf awnyTOus Web access. 

Jajws gw*^^ mnmtgii untraceable aliases far you from the 
in&^ywipnmdeitttto JwusnntherrtMtha 
in&rmuxn Wussoittoaar$CTer. Consequentially Janus does 
notauthennoteyou. Younust prank the same mfannanon in future 
sessions to generate the same aliases. 
YouwiOseeth&fonnoiriyonceatihebe^ You 
cannot change the input to Janus during the rat of your session, 
unless Jama detects that it Ms to authenticate you. 

ywouK to any server. Maamal sae far user name and seeds is 1000 characters each. 
Eater your user n^ (use your E-mail address): 

i i 

Enter your secret must contain at least 8 characters): 

I . I 

V erify your secret by typing it again: 

i i 
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site, but te art requiring registration, which is a cne-tiine only 
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Cboon a tabwiber ID for lis lew Ye* THtant on the 



<aaao> 



lAsuniuo five characters 



Choose a passwords 



i liimunum five characters 



Re-tttee password for coafirautiofl? 

Ii 1 



Ester yov e-mail address 



H<oooo> 




18 



EP0855 6S9A1 




EP0855 659A1 




20 



